CVE-2025-6207
WP · WP Import Export Lite plugin for WordPress
A high-severity vulnerability exists in the WP Import Export Lite plugin for WordPress, allowing an attacker to upload malicious files to a target website.
Executive summary
A high-severity vulnerability exists in the WP Import Export Lite plugin for WordPress, allowing an attacker to upload malicious files to a target website. Successful exploitation could lead to a complete compromise of the web server, enabling data theft, website defacement, or further attacks on the organization's network. Organizations using this plugin are at significant risk and should take immediate action.
Vulnerability
The vulnerability is an arbitrary file upload in the plugin's import functionality. The wpie_tempalte_import function does not properly validate the file type of an uploaded template file. An attacker can exploit this by crafting a file with an executable extension (e.g., .php) and submitting it through the import mechanism, bypassing the intended file-type checks. Once the file is on the server, the attacker can request it via its URL to execute code, effectively creating a backdoor for complete server control.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. A successful exploit would have a severe business impact, potentially leading to a full compromise of the affected WordPress website and the underlying server. Consequences include the theft of sensitive data such as customer information, user credentials, and payment details; reputational damage from website defacement; and financial loss from business disruption or regulatory fines. The compromised server could also be leveraged to attack other systems within the network or used as part of a botnet for malicious activities like sending spam or launching DDoS attacks.
Remediation
Immediate Action: Update the WP Import Export Lite plugin to the latest available version that addresses this vulnerability. If the plugin is not critical to business operations, the recommended course of action is to disable and completely remove it to eliminate the attack surface.
Proactive Monitoring: Security teams should monitor web server access logs for suspicious POST requests to endpoints associated with the WP Import Export Lite plugin. Implement file integrity monitoring (FIM) to watch for the creation of unexpected files (especially with extensions like .php, .phtml, .phar) in WordPress upload directories. Network traffic should be monitored for unusual outbound connections from the web server, which could indicate a successful compromise.
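The following Python script is an added example (not code from the advisory, the plugin, or its vendor) implementing the two checks described above: flagging POST requests to plugin endpoints in web server access logs, and flagging requests for, or the presence of, script files under the WordPress uploads tree. The advisory names no endpoint, so the `wpie` path marker, the uploads layout and the sample log lines are constructed assumptions; tune the marker to the paths the site actually logs.

```python
"""Log and filesystem checks for the monitoring guidance above.

Added example: not code from the advisory or the plugin. The plugin's
endpoint names are not given in the advisory, so PLUGIN_MARKER and the
sample data below are constructed assumptions.
"""
import os
import re
import tempfile

# Apache/nginx "combined"-style access-log line (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: plugin request handlers carry this fragment in the path or
# query string. Access logs do not record POST bodies, so an action name
# sent only in the body will not appear here; tune to what the site shows.
PLUGIN_MARKER = "wpie"
UPLOADS_PREFIX = "/wp-content/uploads/"
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def _ext_chain(name):
    """All extension segments of a file name, lowercased: a.php.txt -> ['.php', '.txt']."""
    return ["." + p for p in name.lower().split(".")[1:]]

def suspicious_posts(lines):
    """POST requests whose path or query string references the plugin."""
    return [e for e in map(parse_line, lines)
            if e and e["method"] == "POST" and PLUGIN_MARKER in e["path"].lower()]

def script_requests_in_uploads(lines):
    """Requests for script files under the uploads tree: a strong sign that a
    dropped file is being executed (the uploads directory should never serve scripts)."""
    hits = []
    for e in map(parse_line, lines):
        if not e:
            continue
        path = e["path"].split("?", 1)[0]
        if path.lower().startswith(UPLOADS_PREFIX) and any(
                x in SCRIPT_EXTS for x in _ext_chain(os.path.basename(path))):
            hits.append(e)
    return hits

def scan_uploads(root):
    """FIM-style sweep: files under root with a script extension anywhere in
    their extension chain (a.php.txt is flagged too, since some Apache
    AddHandler configurations execute it)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if any(x in SCRIPT_EXTS for x in _ext_chain(name)):
                findings.append(os.path.join(dirpath, name))
    return sorted(findings)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Jun/2025:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=wpie_tempalte_import HTTP/1.1" 200 51
203.0.113.5 - - [10/Jun/2025:12:00:15 +0000] "GET /wp-content/uploads/wpie/templates/x.php HTTP/1.1" 200 12
198.51.100.7 - - [10/Jun/2025:12:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 22
"""

def demo_scan():
    """Build a constructed uploads tree in a temp dir and return the flagged names."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("2025/06/photo.jpg", "wpie/templates/template.json",
                    "wpie/templates/backdoor.php", "wpie/templates/evil.php.txt"):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            open(p, "w").close()
        return [os.path.basename(f) for f in scan_uploads(root)]

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for e in suspicious_posts(lines):
        print("plugin POST  :", e["ip"], e["path"])
    for e in script_requests_in_uploads(lines):
        print("script hit   :", e["ip"], e["path"])
    print("flagged files:", demo_scan())
```

Run `scan_uploads` against the real `wp-content/uploads` path on a schedule or from a FIM hook; a single `.php` file appearing there after a plugin POST from the same client IP is the sequence the advisory describes and is worth an alert on its own.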
Compensating Controls: If patching is not immediately possible, implement a Web Application Firewall (WAF) with rules to block the upload of executable file types. Additionally, harden web server configurations to disallow script execution from the WordPress uploads directory. Restricting access to the WordPress admin dashboard to trusted IP addresses can also reduce the risk of an attacker accessing the vulnerable import function.
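The file-type validation that the vulnerability description and the WAF recommendation both turn on, shown as an added example in Python that is not the plugin's own code: the advisory does not show the original check, so `weak_is_allowed` is a generic last-extension denylist of the kind that lets executable uploads through, and `is_allowed` with `server_side_name` is the hardened form a reviewer would ask for. The allowed-extension set is an assumption about what an import template may legitimately be.

```python
"""Server-side file-type validation for an import/upload handler.

Added example, not the plugin's code. The advisory does not show the
original check, so weak_is_allowed is a generic last-extension denylist of
the kind that lets executable uploads through, and is_allowed is the
hardened form. ALLOWED_EXTS is an assumption about what a template may be.
"""
import os
import secrets

SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar", "htaccess"}
ALLOWED_EXTS = {"json", "xml", "csv", "txt"}   # assumption: legitimate template formats

def weak_is_allowed(filename):
    """Denylist on the last extension, case-sensitive: the pattern to avoid.
    It accepts shell.PHP, shell.php. (trailing dot) and shell.php.txt."""
    ext = filename.rsplit(".", 1)[-1]
    return ext not in SCRIPT_EXTS

def is_allowed(filename):
    """Allowlist check over the whole extension chain, after normalisation."""
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return False                     # NUL and path separators never belong in a name
    name = os.path.basename(filename).strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False                     # no extension, or a dotfile such as .htaccess
    exts = parts[1:]
    if any(e in SCRIPT_EXTS for e in exts):
        return False                     # script extension anywhere in the chain
    return exts[-1] in ALLOWED_EXTS      # only what the importer actually understands

def server_side_name(filename):
    """Name the stored file ourselves: random stem plus the validated extension,
    so nothing the client supplied reaches the filesystem. None if rejected."""
    if not is_allowed(filename):
        return None
    ext = filename.strip().rstrip(". ").lower().rsplit(".", 1)[-1]
    return secrets.token_hex(16) + "." + ext

if __name__ == "__main__":
    for name in ("template.json", "shell.php", "shell.PHP", "shell.php.txt",
                 "shell.php.", "../evil.json", ".htaccess"):
        print(f"{name!r:18} weak={weak_is_allowed(name)!s:5} hardened={is_allowed(name)}")
```

Extension checks are one layer only: pair them with the server configuration change recommended above (no script execution from the uploads directory) and, where possible, store imported templates outside the web root and parse them as data rather than serving them back.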
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 7.5 and the critical impact of a successful arbitrary file upload attack, we strongly recommend immediate remediation. Organizations must prioritize updating the WP Import Export Lite plugin to a patched version or removing it entirely from their WordPress sites. Although this CVE is not currently on the CISA KEV list, its nature makes it a highly attractive target for attackers. A proactive approach is essential to prevent a potentially devastating website compromise.